NERC to beef up, prioritize cyber incident reporting under new rule

By: Robert Walton

Dive Brief:

Federal regulators issued a final rule Thursday, giving the North American Electric Reliability Corp. (NERC) six months to modify the Critical Infrastructure Protection Reliability Standards, with an aim of expanding reporting requirements for cyber incidents.

The Federal Energy Regulatory Commission (FERC) also directed NERC to consider the threat level when developing reporting thresholds and timelines, and increased the number of agencies that will receive the incident reports.

Dive Insight:

Current rules only require the reporting of a cyber incident if one or more reliability tasks have been disrupted or compromised. NERC will now develop rules that require incident reporting under significantly broader scenarios.

The order directs NERC to update rules focused on incident reporting and response planning. The new rules would require a report if an entity’s Electronic Security Perimeter or associated Electronic Access Control or Monitoring System (EACMS) is compromised, or if there is an attempt to compromise them.

The new rules also call for standardizing cybersecurity incident reports and sharing them with another agency. Each year, NERC will file a public and anonymized summary of the reports with FERC.

Incident reports will continue to be sent to the Electricity Information Sharing and Analysis Center and will be shared with the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team.

NERC will have some discretion in developing the reporting rules; FERC’s order directs it to “develop requirements based on the function of the EACMS and the nature of the attempted compromise or successful intrusion.”

Reporting timelines will also need to be developed that correspond to the potential impact of an intrusion.

Thomas Popik, chairman and president of the Foundation for Resilient Societies, previously told Utility Dive in an interview that the low threshold for reporting cyber incidents is, in fact, “an enormous gap” that can lead to a false sense of security.